From 7deb79eea724ba681c1018923f5336dce4a1e9a4 Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Tue, 2 Mar 2021 20:20:10 -0500
Subject: takemi: Fix issues with deploying and cgit repo access.
---
 signing-key.pub | 6 ++++++
 takemi.scm | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 signing-key.pub
diff --git a/signing-key.pub b/signing-key.pub
new file mode 100644
index 0000000..a115953
--- /dev/null
+++ b/signing-key.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #CB65A917945D0ECA62BC5CC9A5F09B6FA421CAF90BF6EEC36107691D6DF0B543#)
+ )
+ )
diff --git a/takemi.scm b/takemi.scm
index e2de19f..7e283f8 100644
--- a/takemi.scm
+++ b/takemi.scm
@@ -7,6 +7,32 @@
 "/etc/letsencrypt/live/dthompson.us/privkey.pem")
 (define dave-pub-key (local-file "dave.pub"))
 
+(define nginx-accounts
+ (list (user-group (name "nginx") (system? #t))
+ (user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (specification->package "shadow")
+ "/sbin/nologin")))))
+
+;; Need to override the default nginx service account configuration so
+;; that the nginx user is a member of the git group.
+(define nginx-service-type*
+ (service-type
+ (inherit nginx-service-type)
+ (extensions
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ account-service-type)
+ (service-extension account-service-type
+ (const nginx-accounts))
+ extension))
+ (service-type-extensions nginx-service-type)))))
+
 (define takemi-os
 (operating-system
 (locale "en_US.utf8")
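Review bot: The `supplementary-groups '("git")` entry in `nginx-accounts` gives the nginx workers read access to everything group `git` can read, which from the `(umask #o0027)` and `(group "git")` context in the later hunks appears to be the whole gitolite repository tree rather than only what cgit exposes, so gitolite's own per-repository ACLs no longer bound what the web server can reach. The comment above `nginx-service-type*` says what is overridden but not why nginx itself, rather than the cgit CGI, needs the group; I'd state that reason and add `;; nginx can now read every repository group git can read, so keep all root/try-files paths outside the gitolite repository directory.` `nginx-accounts` also repeats the upstream nginx account definition with one field added, so a comment naming the upstream definition it mirrors would make later drift (home directory, shell) easier to spot. The `(define takemi-os` form at the end of the hunk continues outside it.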
@@ -58,7 +84,19 @@
 ;; cgit will work.
 (umask #o0027)
 (git-config-keys "gitweb\\..*")))))
- (service certbot-service-type
+ (service (service-type
+ (inherit certbot-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations))
+ extension))
+ (service-type-extensions certbot-service-type))))
 (certbot-configuration
 (email "dthompson2@worcester.edu")
 (certificates
@@ -78,7 +116,7 @@
 read)))
 (kill pid SIGHUP)))))))
 (webroot "/var/www/certbot")))
- (service nginx-service-type
+ (service nginx-service-type*
 (nginx-configuration
 (server-blocks
 (list (nginx-server-configuration
@@ -100,7 +138,18 @@
 ;; repos.
 (group "git")))
 (let ((cgit (specification->package "cgit")))
- (service cgit-service-type
+ (service (service-type
+ (inherit cgit-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ cgit-configuration-nginx-config)
+ extension))
+ (service-type-extensions cgit-service-type))))
 (cgit-configuration
 (project-list "/var/lib/gitolite/projects.list")
 (repository-directory "/var/lib/gitolite/repositories")
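Review bot: The `(@@ (gnu services certbot) certbot-nginx-server-configurations)` reference in the certbot override depends on an unexported binding, so an upstream rename inside `(gnu services certbot)` breaks this declaration at reconfigure time with no deprecation path; the cgit override two hunks down uses the exported `cgit-configuration-nginx-config` and does not have this problem. A comment such as `;; @@ reaches into a private binding of (gnu services certbot); re-check it after Guix upgrades.` would at least flag it. The `map`/`lambda` retargeting of nginx-service-type is written out twice, here and in the cgit hunk; a helper taking the service type and the compute procedure removes the duplication and keeps the two overrides from drifting, as sketched below. The enclosing `services` list starts before this hunk and continues past it.
```scheme
;; Return TYPE with its nginx-service-type extension retargeted to
;; nginx-service-type*, using COMPUTE as the extension's compute procedure.
(define (retarget-nginx-extension type compute)
  (service-type
   (inherit type)
   (extensions
    (map (lambda (extension)
           (if (eq? (service-extension-target extension)
                    nginx-service-type)
               (service-extension nginx-service-type* compute)
               extension))
         (service-type-extensions type)))))

;; … unchanged: git-config-keys line above the certbot service …
(service (retarget-nginx-extension
          certbot-service-type
          (@@ (gnu services certbot)
              certbot-nginx-server-configurations))
;; … unchanged: certbot-configuration …
```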
@@ -135,7 +184,17 @@
 (try-files (list "$uri" "@cgit"))
 (ssl-certificate letsencrypt-cert)
 (ssl-certificate-key letsencrypt-cert-key))))))))
- %base-services))
+ ;; For some reason I have to override the guix service config to
+ ;; authorize my local signing key even though I've already
+ ;; authorized it on the server in the past...
+ (map (lambda (s)
+ (if (eq? (service-kind s) guix-service-type)
+ (service guix-service-type
+ (guix-configuration
+ (authorized-keys (cons (local-file "signing-key.pub")
+ %default-authorized-guix-keys))))
+ s))
+ %base-services)))
 (bootloader
 (bootloader-configuration
 (bootloader grub-bootloader)
-- 
cgit v1.2.3
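Review bot: Building a fresh `guix-configuration` inside the `map` discards every other field of the guix service that `%base-services` already carried, and the hand-written `service-kind` test is what `modify-services` exists for; with `(inherit config)` only `authorized-keys` changes, as shown below. The `;; For some reason …` comment should instead say what the key is and why it must be declared here: the ACL the service installs is generated from `authorized-keys`, so a key authorized only by hand on the host is not guaranteed to survive a reconfigure (I am inferring that from the symptom described, not from this hunk). Because an authorized key lets its holder push arbitrary store items to this machine, naming the host that owns `signing-key.pub` in that comment also matters for later rotation. The `operating-system` form and its `services` field start before this hunk.
```scheme
;; … unchanged: nginx server block ending in ssl-certificate-key …
   ;; Authorize the guix signing key of <deploying host — fill in> so its
   ;; `guix deploy` is accepted; the ACL is generated from this field, so the
   ;; key has to be declared here rather than only in /etc/guix/acl.
   (modify-services %base-services
     (guix-service-type config =>
       (guix-configuration
        (inherit config)
        (authorized-keys (cons (local-file "signing-key.pub")
                               %default-authorized-guix-keys)))))))
```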